Wednesday, May 23, 2012


And here I sit at another airport, Dallas-Ft. Worth this time, writing another blog post.  And yet again, I am reminded of an issue that continues to plague my forensic brethren: the heavy reliance on tools.

I am a member of several forensic/IR mailing lists, I read the blogosphere, and I try to keep up with many of you on twitter.  In addition, I have a strong relationship and presence with many law enforcement agencies (local, state, federal and foreign) and the officers assigned to perform DF and IR.  I intentionally don't comment very much, mostly because I don't think very many people would like my answers, but I help out when and where I can.

So to get right down to it, I still see a strong reliance on tools to solve cases for you.  I have also seen a number of posts and tweets recently where investigators are trying to make certain tools do certain things they are either not well suited to do, or where a much better solution exists.  To all this, I say, "stop"!

Stop stop stop stop it!  

Relying on tools to solve your case for you is like relying on a pile of wood and a nail gun to build your house.  It doesn't work.  It's never going to work.  The sooner you come to that conclusion, the better off you will be.  Instead of simply ranting about tool reliance, allow me to explain myself.

All of our investigations are made up of data elements.  Some have evidentiary value, while others do not, but it's all there...plain ole data.  Just sitting there waiting to have something done with it.  The question investigators SHOULD BE ASKING FIRST is what question am I trying to answer, not what tool do I need to use!  How in the world could you possibly know what tool to use before you know what you are going to do, and why?  You can't!

Now, I understand that in some cases there are just "goto" tools.  For example, I use fls in each and every case to create a timeline, I use log2timeline or regtime to add registry hives into my timeline, I use RegRipper to parse my registry hives into human readable text, I always dump log files into flat text with DumpEl, and I always use PsTools to dump running process information.  So I get that you have to use certain tools by default to get you to a good starting point...I do the same thing.  But that's about where it ends for me.

I don't always pull web history, I don't always scan an image with AV, I don't always extract the $MFT, and I rarely use EnCase.  Why?  Because I don't always have to!  

For example, when I know malware has been deployed on a Point of Sale (POS) system by RDP, why would I need to pull web logs?  Answer...I don't.  Web browser history has nothing to do with my case.  BUT, if I see that malware may have been downloaded...let's say by reviewing ntuser.dat hives from admin users, or from evidence I find in my timeline, then OK, I will grab web history to see if I can find an additional data point that would indicate that my malware was downloaded via the web.  It makes sense in that case to do so.

I don't always scan an image with AV.  Why would I?  For those of us that pretty much live and breathe malware, we know that scanning with AV is only going to be marginally useful, if at all.  It's going to point out known samples or common variants, and that's about it.  If the malware is custom, or is a new variant, the scans will be of no value.  You are FAR better off identifying the running processes and looking for common IOCs and APIs used by the different types of malware depending on functionality.  BUT, if I am asked to find all occurrences of malware on a specific system, regardless of what it is or what it does, sure...I will scan it...because that's what I was asked to do.

I don't always extract the $MFT...b/c I don't always have to.  Since a timeline is generated from the Standard Information ($SI) attribute anyway, I already have half of the $MFT, don't I?  The only time I would extract and parse the $MFT (Harlan's parser is awesome for this) is when I suspect chronological (aka timestomping) modification has taken place.  HOW do I know that timestomping has taken place if I don't first parse the $MFT and compare the $SI to the File Name ($FN) attribute?  I have seen it before, and I know what the IOCs are.  I know what signs to look for that would lead me to believe that some kind of modification has taken place.  Things like prefetch file timestamps that are identical to the creation times save for the year, the milliseconds field being set to all zeros, and files located with other files I know to be components of the malware, with different creation times.
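The $SI-versus-$FN comparison and the three signs just listed, as an added Python example (my code, not Harlan's parser and not anything from the post): it takes the $SI and $FN timestamps that an $MFT parser would hand back as raw 64-bit FILETIME values, converts them, and flags a zeroed sub-second field, an $SI creation time earlier than the $FN creation time, and a prefetch file whose creation time matches the executable's $SI creation time except for the year. The records, paths and timestamps are constructed sample data; a real run would feed it the parser's output for the directory you are looking at.

```python
from datetime import datetime, timedelta, timezone

WIN_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000          # FILETIME counts 100 ns ticks since 1601-01-01 UTC


def filetime_to_dt(ft):
    """Convert a FILETIME to an aware datetime (sub-microsecond ticks are dropped)."""
    return WIN_EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt, extra_ticks=0):
    """Inverse of filetime_to_dt; used here only to build the constructed sample records."""
    return ((dt - WIN_EPOCH) // timedelta(microseconds=1)) * 10 + extra_ticks


def ts(y, mo, d, h, mi, s, us=0, extra_ticks=0):
    return dt_to_filetime(datetime(y, mo, d, h, mi, s, us, tzinfo=timezone.utc), extra_ticks)


# Constructed sample: $SI and $FN timestamps as an $MFT parser would report them.
SAMPLE_RECORDS = [
    {"path": "C:/Windows/System32/legit.dll",
     "si_created": ts(2012, 5, 9, 14, 3, 27, 123456, 7),
     "si_modified": ts(2012, 5, 9, 14, 3, 27, 123456, 7),
     "fn_created": ts(2012, 5, 9, 14, 3, 27, 123456, 7)},
    {"path": "C:/Windows/System32/dropper.exe",
     "si_created": ts(2009, 5, 21, 3, 12, 9),              # year pushed back, fraction zeroed
     "si_modified": ts(2009, 5, 21, 3, 12, 9),
     "fn_created": ts(2012, 5, 21, 3, 12, 9, 881234, 5)},  # $FN still carries the real time
    {"path": "C:/Windows/Prefetch/DROPPER.EXE-1A2B3C4D.pf",
     "si_created": ts(2012, 5, 21, 3, 12, 9, 901100, 2),
     "si_modified": ts(2012, 5, 21, 3, 12, 9, 901100, 2),
     "fn_created": ts(2012, 5, 21, 3, 12, 9, 901100, 2)},
]


def has_zero_fraction(ft):
    """True when the sub-second part of the timestamp is exactly zero.  On its own this is a
    weak lead: files copied from FAT media or extracted from archives with coarse timestamps
    also land on whole seconds, so corroborate it with the other checks."""
    return ft % TICKS_PER_SECOND == 0


def same_except_year(ft_a, ft_b):
    """True when month, day, hour, minute and second agree but the year does not."""
    a, b = filetime_to_dt(ft_a), filetime_to_dt(ft_b)
    return a.year != b.year and a.timetuple()[1:6] == b.timetuple()[1:6]


def prefetch_for(record, records):
    """Find the prefetch record for an executable by the NAME-HASH.pf naming convention."""
    base = record["path"].rsplit("/", 1)[-1].upper()
    for other in records:
        fname = other["path"].rsplit("/", 1)[-1]
        if fname.upper().startswith(base + "-") and fname.lower().endswith(".pf"):
            return other
    return None


def timestomp_indicators(records):
    """Return {path: [indicator, ...]} for every record showing at least one sign."""
    findings = {}
    for r in records:
        hits = []
        if has_zero_fraction(r["si_created"]) or has_zero_fraction(r["si_modified"]):
            hits.append("zero sub-second field in $SI")
        # Normal file operations never leave $SI creation earlier than $FN creation.
        if r["si_created"] < r["fn_created"]:
            hits.append("$SI created precedes $FN created")
        if r["path"].lower().endswith(".exe"):
            pf = prefetch_for(r, records)
            if pf is not None and same_except_year(r["si_created"], pf["si_created"]):
                hits.append("prefetch creation time matches $SI created except for the year")
        if hits:
            findings[r["path"]] = hits
    return findings


if __name__ == "__main__":
    for path, hits in timestomp_indicators(SAMPLE_RECORDS).items():
        print(path)
        for h in hits:
            print("   -", h)
```

Each indicator is a lead, not a verdict: the point of parsing the $MFT here is to answer the specific question "were these timestamps altered", and the answer comes from several independent signs on the same file lining up, which is exactly what the sample dropper shows and the legitimate DLL does not.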

So OK Chris...what's your point here?  To simply berate us for using and relying on tools to give us information?  We NEED that information to solve our cases.  How the heck else are we supposed to do our jobs?

GREAT point!  So let me answer...USAGE of tools is OK, and like you said, you cannot do your job without them!  Neither can I.  RELIANCE on tools to do the work for you is not OK...and as Cory would say, "it is the suck".

Step back for a moment and breathe in...and breathe out.  Clear your head and just think.  What are you doing?  What question are you trying to answer?  Why?  What information do you need to answer that question?  What does the data tell you?  These questions are the essence of the Sniper Forensics methodology.  I (among others) have been talking about this philosophical shift for four years and yet there is still considerable resistance in the community, which I really don't understand.

The best tool in your toolbox is your brain.  What Harlan has dubbed, "Wetware".  Think through your cases.  Ask a LOT of questions.  Actually take the time to answer your questions.  Let the data guide your theory.  It's really not that complicated when you break it down into smaller, more manageable components.

I will close this post with a short story.  I was recently asked to assist a LE Officer with a case he had been working on for a month.  I started by asking him a lot of questions...what are you trying to do?  What was the crime?  What information are you hoping to identify?  How will that information help your case if we find it?  How will it change your investigation if the data is not there?  What is the timeframe of the incident?  How do you know that was the timeframe?  What supporting evidence do you have that indicates that timeframe is accurate?  After listening carefully to his answers and writing them down in my case notes, I knew exactly what to do. 

I created my investigation plan.  Indicated what I was looking for and why.  I took notes on where I would likely find that data, what it would generally look like, and what I would do if I found it, as well as what I would do if I didn't find it.  In total, about 30 minutes of pre-work...maybe 45 since I was drinking a cup of coffee and typing at the same time.

When I actually put fingers to keyboard I found what the officer was looking for, and helped him solve the case in...wait for it...waaaaaaiiiittt for it....15 minutes.  He had been haphazardly looking for "bad stuff" for a full month...four weeks...30 days.  It took me longer to write my notes and drink my coffee than it did to find the evidence he was looking for.  Why you ask?  Because I took the time to use my Wetware!  I actually THOUGHT about what I was going to do, why, and what I was looking for before I ever put my hands on the keyboard, mounted an image, or touched any piece of data.

OK, so that's ONE case.  You got lucky.  My cases are different...it's simply not that simple for me!

Good point...and maybe you are correct.  BUT, I have been using this methodology for four years, in each and every case.  For us in SpiderLabs, that equates to just under 1000 cases (yes, we keep track).  So my team, in almost 1000 cases, has seen this methodology work each and every time.  Without fail, and without exception.  Small cases with a single piece of evidence (like an SD card) to huge cases with hundreds of systems.  It just plain works.

So, for all you naysayers out there, for the skeptics and the old school "pull-the-pluggers", I say, "try it".  Try doing it my way.  What do you have to lose?  Certainly not more time!  What do you have to gain?  How about solving your cases in a fraction of the time you currently solve them in?  How about clearing your ever-increasing backlog?  Sounds like a pretty safe trade to me.

Happy Hunting.

Friday, May 18, 2012

Thursday, May 10, 2012

SecTor 2012 First Round!

Sniper Forensics: Reloaded has been accepted in the first round of CFP selections at SecTor 2012!

This is one of the best security conferences of the year!  If you have never been, I HIGHLY recommend it.

Wednesday, May 9, 2012

This is my interpretation of "Bizarro" forensics, which sadly, REALLY still happens.  I was recently reminded of not only this, but of just how big the forensic world is, how many investigators there are, and how far we still have to go.

Sniper Forensics (SF) is the targeted approach to conducting forensic investigations.  It helps the investigator to use logic to guide his/her investigation to find answers, not just gather data.  Now, I am not going to rehash SF, but I just wanted to mention it briefly for the purpose of comparison.

The opposite of SF would be to illogically and haphazardly gather data that may or may not be relevant to the case (who cares if it makes sense, just pull the plug and gather everything).  You would form your theory of what you or your client thinks happened, and force all of your evidence into that theory.  You would ignore any evidence that was contrary to that theory, and think anyone who actually questioned what you did or the way you did it, is just plain wrong.

When asked questions like, "Did you perform Registry Analysis, Memory Analysis, or Pcap Analysis" you say..."Yes...I found nothing of evidentiary value".  Then I may ask, "OK, what kind of analysis did you perform?  What were you looking for?"  You would answer something like, "I did analysis...I didn't find anything".

You would then defend your lack of findings by stating that the evidence did not make clear what took place.  "While you can never be 100% certain of what happened, based on my analysis and experience, there was no breach that is evident."

This may sound ridiculous, but it is sadly true.  There are still investigators that think like this, and cases that work like this.  Do you know of any?  I would love to hear your stories of Bizarro Forensics!  Email them to me and I will create a blog series with the best of the worst.  Should be entertaining!

I am working on my example now.  It's pretty bad...and yes...we found the breach and it was ugly!